Andrew Pease

@andythevariable

Followers
1K
Following
2K
Media
104
Statuses
492

Elastic Security Labs Technical Lead. Lawful Neutral. Threat Hunting with the Elastic Stack author. Retired CW4.

Joined May 2019
@andythevariable
Andrew Pease
12 days
It's not too often we get to work shoulder-to-shoulder with the practitioners and researchers on the front lines. #REF3927 is an intrusion set that deploys SEO cloaking capabilities, RATs, webshells, and RMMs - largely using a novel IIS module we named #TOLLBOOTH
@elasticseclabs
Elastic Security Labs
28 days
#ElasticSecurityLabs joins forces with @tamusystem and discloses TOLLBOOTH, an IIS module used for SEO abuse that relies on publicly exposed ASP.NET machine keys:
@andythevariable
Andrew Pease
4 days
#RONINGLOADER -> PPL abuse, the new hotness.
@elasticseclabs
Elastic Security Labs
4 days
#ElasticSecurityLabs uncovers #RONINGLOADER, a multi-stage loader utilizing signed drivers, PPL abuse, CI Policies, and other evasion techniques to deliver #DragonBreath's gh0st RAT variant. Check it out at https://t.co/Df8JLO6w4d
@andythevariable
Andrew Pease
1 month
Excited to publish this in a few days…
@_devonkerr_
Devon Kerr
1 month
@elasticseclabs is currently researching a new family of IIS malware impacting a large number of organizations globally. With a US university-based MDR provider, we’ve observed a novel attack chain, RMMs, a Godzilla-forked framework, and a malicious driver. Details coming soon.
@andythevariable
Andrew Pease
5 months
YAAAHHHSSSS
@midjourney
Midjourney
5 months
Introducing our V1 Video Model. It's fun, easy, and beautiful. Available at $10/month, it's the first video model for *everyone* and it's available now.
@andythevariable
Andrew Pease
7 months
As defenders it’s always interesting to see how TAs view the landscape vs. the commercial checkboxes. Iron sharpens iron, good red teams make good blue teams.
@SBousseaden
Samir
7 months
Some detection/hunt rules to get started for SAP vuln CVE-2025-31324:
- JSP/JAVA/Class creation in the SAP IRJ dir.
- Suspicious child processes indicating execution.
https://t.co/NrY1D3kQGL
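The two heuristics in Samir's post above, written out as a small hunt over constructed endpoint events. This is an added example, not code from the post or from Elastic's published rules: the event field names, the SAP AS Java process names (jstart), the directory layout under irj, the list of "suspicious" child processes and the sample events are all assumptions and should be checked against the telemetry you actually have.

```python
"""
Hunt for CVE-2025-31324 follow-on activity using the two heuristics from the
post: (1) JSP/JAVA/Class files written under an SAP "irj" directory and
(2) the SAP Java server process spawning a shell. Added example; the event
schema and process names below are assumptions, not Elastic's or SAP's.
"""
import json
import os
from typing import Iterable, List, Optional

# Extensions that a benign process should not be writing into the IRJ
# web-content tree (first heuristic in the post).
WEB_CONTENT_EXT = {".jsp", ".java", ".class"}

# Assumed names of the SAP NetWeaver AS Java server process and the JVM it
# launches; confirm the real names on your hosts before relying on this.
SAP_JAVA_PARENTS = {"jstart", "jstart.exe", "java", "java.exe"}

# Children a Java application server has no business spawning (assumption).
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh", "pwsh.exe", "sh", "bash", "dash"}


def _path_parts(path: str) -> List[str]:
    """Split a Windows or POSIX path into lower-cased components."""
    return [p.lower() for p in path.replace("\\", "/").split("/") if p]


def irj_file_creation(event: dict) -> Optional[str]:
    """Rule 1: JSP/JAVA/Class creation anywhere under an 'irj' directory."""
    if event.get("event_type") != "file_create":
        return None
    path = event.get("path", "")
    ext = os.path.splitext(path)[1].lower()
    if ext in WEB_CONTENT_EXT and "irj" in _path_parts(path):
        return f"irj-webshell-candidate: {path}"
    return None


def sap_suspicious_child(event: dict) -> Optional[str]:
    """Rule 2: SAP Java server process spawning a shell (webshell execution)."""
    if event.get("event_type") != "process_start":
        return None
    parent = os.path.basename(event.get("parent_name", "").replace("\\", "/")).lower()
    child = os.path.basename(event.get("process_name", "").replace("\\", "/")).lower()
    if parent in SAP_JAVA_PARENTS and child in SHELL_CHILDREN:
        return f"sap-java-spawned-shell: {parent} -> {child} [{event.get('command_line', '')}]"
    return None


RULES = (irj_file_creation, sap_suspicious_child)


def hunt(events: Iterable[dict]) -> List[str]:
    """Run every rule over every event and return the alert strings in order."""
    alerts = []
    for event in events:
        for rule in RULES:
            alert = rule(event)
            if alert:
                alerts.append(alert)
    return alerts


def hunt_ndjson(text: str) -> List[str]:
    """Same as hunt(), but over newline-delimited JSON telemetry."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return hunt(events)


# Constructed telemetry, not captured from a real incident. The IRJ paths
# follow the usual SAP AS Java layout but are assumptions.
SAMPLE_EVENTS = r"""
{"event_type": "file_create", "path": "/usr/sap/NW1/J00/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/helper.jsp", "process_name": "jstart"}
{"event_type": "file_create", "path": "/usr/sap/NW1/J00/work/dev_server0", "process_name": "jstart"}
{"event_type": "file_create", "path": "C:\\usr\\sap\\NW1\\J00\\j2ee\\cluster\\apps\\sap.com\\irj\\servlet_jsp\\irj\\root\\cache.jsp", "process_name": "jstart.exe"}
{"event_type": "file_create", "path": "/var/www/html/index.jsp", "process_name": "java"}
{"event_type": "process_start", "parent_name": "jstart", "process_name": "/bin/sh", "command_line": "sh -c id"}
{"event_type": "process_start", "parent_name": "jstart", "process_name": "/usr/sap/NW1/exe/sapjvm_8/bin/java", "command_line": "java -Xmx2g ..."}
{"event_type": "process_start", "parent_name": "sshd", "process_name": "/bin/bash", "command_line": "bash -l"}
"""

if __name__ == "__main__":
    for alert in hunt_ndjson(SAMPLE_EVENTS):
        print(alert)
```

Rule 1 on its own is a hunt, not a high-confidence detection: legitimate deployments also write .jsp and .class files under irj, so treat a hit as a lead and look for a matching rule-2 event (the server process spawning a shell shortly after the file write) before calling it an intrusion.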
@elasticseclabs
Elastic Security Labs
7 months
Huh? That’s weird… what is that? It kind of looks like it’s a… new #cybersecurity report? 🤔 We’re excited about this one. Look out for more this week.
@andythevariable
Andrew Pease
8 months
Sometimes naming intrusions and families can be tough - but sometimes TAs do all the hard work. Sorry, Shelbys, but @soolidsnakee and @bluish_red_ had to put you to the canvas. #shelbyc2 #shelbyloader #ref8685
@elasticseclabs
Elastic Security Labs
8 months
We’re exposing a newly discovered #malware family that has made its home on #GitHub. SHELBY targeted a middle east telecom company, uses GH commits for C2, and shares hard-coded tokens for authentication. Read the malware and campaign breakdown:
@andythevariable
Andrew Pease
8 months
The significant thing to note with the ABYSSWORKER intrusion is that this isn't just BYOD; it's BYO(Malicious)D, something that's not super common. Solid research and analysis by @cyril_t_f
@elasticseclabs
Elastic Security Labs
8 months
Join @cyril_t_f and #ElasticSecurityLabs in exposing ABYSSWORKER, a malicious driver that silences #EDR tools and is distributed via the MEDUSA #ransomware. Get the deep details:
@virusbtn
Virus Bulletin
9 months
Elastic Security Labs researchers look into the REF7707 campaign targeting the foreign ministry of a South American country. The intrusion set utilized by REF7707 includes novel malware families such as FINALDRAFT, GUIDLOADER and PATHLOADER. https://t.co/zuI7yKAvoh
@andythevariable
Andrew Pease
9 months
A very rewarding analysis of the #REF7707 intrusion set and infra as a compendium to the #FINALDRAFT and #PATHLOADER malware disclosure from #ElasticSecurityLabs.
@elasticseclabs
Elastic Security Labs
9 months
You’ve learned about the malware, but what about the story behind it? Explore the twists and turns of REF7707 — an adversary campaign that spans the globe: https://t.co/yUWh5hulyR #ElasticSecurityLabs #cybersecurity #cyberattack
@lontze7
Lontz
9 months
adapter.radiws[.]com
app.radiys[.]com
support.anyconnact[.]com
cloud.online-wsus[.]net
Probably related to the @elastic report on #REF7707 infrastructure; the naming convention also matches. Found with @ValidinLLC by pivoting on the indicators in the report: https://t.co/iieSMCWoB4
@andythevariable
Andrew Pease
10 months
This is tremendously exciting. Bug bounty for rules - the commitment to openness and improvement continues. Iron sharpens iron.
@elasticseclabs
Elastic Security Labs
10 months
We’re adding a new section to @elastic’s HackerOne Bounty Program! Today, we’re opening our SIEM and EDR rules for testing. We’re excited to have another way to thank our community for their efforts on our #detectionengineering. Get more details here:
@DefSecSentinel
DefSecSentinel
1 year
Let's do an @elastic Behavior breakdown on this malicious #Python package, targeting #macOS, to include how we can detect and prevent threats like this featuring a sneak peek at one of the new data sources coming to our Elastic macOS agent very soon. Here is the link to the
[Link card: checkmarx.com] Sophisticated malware campaign targeting cryptocurrency enthusiasts through malicious PyPI packages and GitHub repositories, aiming to steal crypto assets.
@TheHackersNews
The Hacker News
1 year
Researchers have uncovered a malicious Python package posing as a #cryptocurrency trading tool. Downloaded over 1,300 times before removal, this #malware affects Windows and macOS systems. Read: https://t.co/UhgJThU4GJ #infosec #cybersecurity
@andythevariable
Andrew Pease
1 year
Cool research by @DefSecSentinel, a great walkthrough of these Python "coding challenges" that the DPRK is continuing to float around. https://t.co/qyYrwgLguS
@elasticseclabs
Elastic Security Labs
1 year
#ElasticSecurityLabs is introducing HexForge, our tool that enhances #IDAPro with manipulation capabilities built into the hex and disassembly views. HexForge makes it easy to copy and patch binary data and currently supports RC4, AES, ChaCha20, and XOR:
[Link card: github.com] This IDA plugin extends the functionality of the assembly and hex view. With this plugin, you can conveniently decode/decrypt/alter data directly from the IDA Pro interface. - GitHub - elastic/Hex...
@andythevariable
Andrew Pease
1 year
Another banger. Second part of the series. Dense, but I’ve not seen all this assembled together in the past.
@elasticseclabs
Elastic Security Labs
1 year
The #linux detection engineering saga continues! Break down persistence techniques both simple and complex in this new article from @RFGroenewoud: https://t.co/l2FF7hO0z6 #ElasticSecurityLabs #detectionengineering
@andythevariable
Andrew Pease
1 year
Brand new research on this newly discovered family. YARA, detection logic, rules included.
@elasticseclabs
Elastic Security Labs
1 year
#ElasticSecurityLabs is exposing Banshee Stealer — a brand new macOS infostealer with ties to browsers and cryptocurrency. This MaaS collects an immense amount of data, but you can get the details and protections here: https://t.co/kthMoyRVG4 #malware #cryptocurrency #macos
@andythevariable
Andrew Pease
1 year
This is crazy. Wild it’s been exploitable so long. 🤞 a patch comes soon 🤞 Catch @dez_ at #BHUSA to get the skinny.
@elasticseclabs
Elastic Security Labs
1 year
This new article from @dez_ reveals 4 attack techniques linked to SmartScreen and SmartAppControl. Check it out: https://t.co/73Src39xie Will you be at #BHUSA? Stop by @elastic booth #2350 to chat with Joe or catch his lightning talk! #ElasticSecurityLabs #threattechnique